The aim of this document is to present different working scenarios for One Identity Safeguard for Privileged Sessions (SPS) when RDP monitoring is required, to present some best practices for those scenarios, and to demonstrate possible issues with each of them. Please note that it is only an extract of the official Administration Guide, emphasizing the most common RDP-specific topics, so in any case please refer to the official documentation, which covers these and other topics as well.
The core network device alters the traffic flow and directs the packets to be monitored through SPS (seamless integration: no change is required on the computers and servers in the network).
A CRL contains a list of the serial numbers of revoked certificates, and it must be made publicly available by the PKI service that generates the certificates. The Microsoft RDP client rigorously checks the availability of CRLs.
Gateway authentication requires a secondary logon before the authentication on the remote server, so that rules defined on the gateway (in this case SPS) can be evaluated and applied. With gateway authentication it is possible to limit access to specific resources (for example specific sub-channels) to specific local or central groups. It also allows the use of usermapping.
SPS is placed directly between the source and the destination. This means that the client's and the server's gateway is changed to the address of SPS.
MitM is the required method for decoding encrypted traffic. SPS must be placed between the source and the destination of the encrypted traffic, so the client's connection attempt to the destination server is terminated at SPS, decoded and recorded, and SPS establishes a second, also encrypted, channel to the original destination server. Because this breaks the original encryption chain, some additional measures (for example a signing CA) must be applied to avoid warnings.
The user changes the destination host to SPS, where some kind of gateway authentication is performed (or in some cases not performed), and then SPS establishes the connection to the original destination server.
A system placed between two different zones to allow monitoring the traffic between them. The monitored traffic must pass through the proxy to allow it to be monitored. SPS is a proxy-based solution.
A public key infrastructure (PKI) is a set of roles, policies, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
A proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.
One Identity Safeguard for Privileged Sessions is a user monitoring appliance that controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions.
A CA certificate installed on SPS to allow generating certificates for the TLS layer of different protocols. The RDP implementation of SPS also requires a TLS layer.
A service developed by Microsoft to provide an authentication front-end for Remote Desktop Services. One Identity provides its own implementation of RD Gateway (Remote Desktop Gateway) in SPS.
In transparent mode the user connects to the original destination server; however, the traffic is passed through the proxy for recording and analysis. From the user's perspective there should be no difference between monitored and unmonitored traffic.
With usermapping, SPS can allow or deny the use of generic accounts (for example Administrator) based on group membership, and can map real users to generic accounts.
Certain components of the solution (for example the TS-GW TLS layer and the signing CA) require trusted certificates. This means that if the common name of the certificate differs from the DNS name the user is trying to connect to, or the signing CA is not trusted by the client, the connection may fail or generate an error. This is especially true when TS-GW is in use, because the MS RDP client (mstsc) requires a fully trusted third-party certificate for this function.
SPS must be part of the target domain, and users can log on to only one domain unless there is a trust relationship between the different domains. For details on using SPS with multiple domains, see Network Level Authentication (NLA) with domain membership.
To avoid certificate warnings, configure a signing CA that is trusted by the clients for the connection between the client and SPS.
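The certificate requirements above (trusted signing CA, name matching the DNS name the user types, reachable CRL distribution points) can be verified from a client's point of view before users hit warnings. The following script is an added example, not part of the Administration Guide or of SPS: it performs the standard RDP X.224 negotiation requesting TLS or NLA, then opens the TLS layer with the same chain and hostname checks an RDP client applies, and reports the certificate names and CRL distribution points. The host, port and CA bundle path are parameters you supply; the SPS address is assumed to be whatever name users connect to.

```python
import socket
import ssl
import struct

PROTOCOL_SSL = 0x00000001     # RDP_NEG_REQ requestedProtocols flag: TLS
PROTOCOL_HYBRID = 0x00000002  # RDP_NEG_REQ requestedProtocols flag: CredSSP (NLA)

def build_x224_connection_request(protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ (MS-RDPBCGR)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)  # type, flags, length, requestedProtocols
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req  # LI, CR, dst-ref, src-ref, class
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, total length

def parse_x224_connection_confirm(data: bytes) -> tuple:
    """Return ("ok", selectedProtocol) or ("failure", failureCode) from the server's X.224 CC."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:
        return ("ok", 0)  # no RDP_NEG_RSP: legacy server, standard RDP security only (no TLS layer)
    neg_type, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if neg_type == 0x02:
        return ("ok", value)       # RDP_NEG_RSP: selectedProtocol
    if neg_type == 0x03:
        return ("failure", value)  # RDP_NEG_FAILURE: failureCode, e.g. 5 = HYBRID_REQUIRED_BY_SERVER
    raise ValueError(f"unexpected negotiation structure type {neg_type:#x}")

def check_rdp_tls(host: str, port: int = 3389, cafile: str = None, timeout: float = 5.0) -> dict:
    """Negotiate TLS/NLA with the RDP endpoint (for example SPS, assumed here) and verify its
    certificate the way mstsc does: chain to a trusted CA and name match against the typed host."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID))
        status, value = parse_x224_connection_confirm(sock.recv(1024))
        if status != "ok":
            return {"negotiated": "failure", "failure_code": value}
        if value == 0:
            return {"negotiated": "standard RDP security", "warning": "no TLS layer offered"}
        ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname by default
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        except ssl.SSLCertVerificationError as exc:  # untrusted CA or CN/SAN mismatch: the client would warn
            return {"negotiated": "nla" if value & PROTOCOL_HYBRID else "tls", "error": str(exc)}
    return {
        "negotiated": "nla" if value & PROTOCOL_HYBRID else "tls",
        "subject": dict(rdn[0] for rdn in cert["subject"]),
        "subjectAltName": cert.get("subjectAltName", ()),
        "crlDistributionPoints": cert.get("crlDistributionPoints", ()),  # these URLs must be reachable by clients
    }
```

An `error` entry in the result corresponds to the warning or failure the user would see; an empty `crlDistributionPoints` tuple or an unreachable URL in it is what trips the Microsoft client's CRL check.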
The One Identity Safeguard for Privileged Sessions connection policies can work in different network models to make it easy to integrate SPS into an existing network. The two modes are transparent and non-transparent mode (for details on modes of operation, see "Modes of operation" in the Administration Guide). The aim is usually a transparent implementation. Although the non-transparent mode can provide some transparency, it is not the best choice for that purpose.
For an easy-to-deploy and totally transparent solution, transparent mode is the best choice. This mode requires integrating SPS at the network level, so that all administrative traffic passes through the appliance, making it controllable and auditable (for details and illustrations on transparent mode, see "Transparent mode" in the Administration Guide).
Figure 1: SPS in transparent mode
In most cases it is not possible, or not optimal, to integrate SPS into the network as in the above example, because it would require significant changes to the network topology, and SPS could become a single point of failure. However, it is possible to use SPS in transparent mode without changing the network layout, with a few additional configuration steps in some of the active network devices (firewalls or routers) and in SPS itself.
Remote Desktop Gateway (RD Gateway) cannot be used; only out-of-band gateway authentication is possible.
Because of this, usermapping is not possible unless out-of-band gateway authentication is implemented, where the gateway authentication is performed using the web interface of SPS.